Back in the day of NT 4.0, if you had a box that was part of a domain structure, when that guy boots up, he's going to initiate a secure channel on the network, talk to a domain controller and say, hey, am I part of this domain or not?
That connection is established over null credentials, initially. No username, no password. Bang. Talks to the domain controller, says, hey, am I part of this domain, yes or no?
If you keep an NT box from using that connection, he will not authenticate. He won't even join the domain. It'll say no domain controller was found.
It's also used in... I wish I had more stuff. I like to be an evangelist and come out and...
It's used when... Remember multi-domain structures? You have some trust domains over here, and like, I'll trust these guys, but they won't trust me, or normally it's they trust me, but I don't trust them, right?
Well, they need to be able to grab a list of usernames to grant access to.
Since I don't trust them, the way that they make a connection to enumerate what users they can set on their resources, that's also done with null credentials.
Ooh, air conditioning. Could you stay right there? Thanks.
Got a cool wind blowing in here.
And SMS. Some of the third-party Microsoft apps also use that for discovery. Whenever the SMS service goes out and wants to see what's on the box and who he is and what he's running, that initial connection to enumerate shares and all that stuff is done as a null user as well.
So, I mean, this guy really has some uses.
All right, so who cares?
I mean, everybody's heard of restrict anonymous and the null user and blah, blah, blah.
It can actually be a substantial hole that evil hackers can use to enumerate information on your network.
Say who?
Yes, no passwords, though.
What was the other one? Comment fields?
Oh, yeah, passwords and comment fields.
Oh, I mean, I would just shoot people and light them on fire if they did that.
Because if you light them on fire and then shoot them, then it's over too quick.
The way that you can do this...
I mean, this has been in Hacking Exposed and all that stuff.
You can use the net command line in NT: net use, server name, whack IPC, the interprocess communications resource.
It's always there.
IPC dollar sign, quote, quote, space, whack, user, colon, quote, quote (net use \\server\IPC$ "" /user:"").
And what that does is implicitly set up a null session.
You're using that resource, the IPC resource, with no username and no password.
Well, there's programs out there.
DumpACL.
It's called, what, DumpSec now?
Back in the old days, it was DumpACL, and it's kind of stuck with me.
I should change it.
That guy uses the null user to enumerate all kinds of information.
The modals, your policy information, what the guy can do, what the guy can't do, the shares that are on the machine, all the usernames, the groups, all of that stuff can be done.
Hey, look at there.
Groups, services, the services you have running can be enumerated in that manner as well.
All kinds of information.
All kinds of information that I can use to footprint your network as an anonymous user.
Okay?
So, let me do a quick little demo here.
Part of the problem with being in the middle of doing Jägermeister shots and someone asks you to do a presentation is that some stuff is not always set up.
Now, I'm going to see, let me get a little VMware session, VMware is cool.
So, for those of you that don't know, what I'm doing is I'm actually instantiating a completely separate machine on the same machine.
So, inside of my active window here, I've got a Windows 2000 machine that's running, that's got RA set to one.
Restrict anonymous set to one.
I'll talk about that in just a sec.
And he's going to do a little demo.
So, he's running here and what I can do is from here, can you all see that?
I made it big and yellow, so I actually thought about that.
Just to show you I have connectivity, what is he, 190?
Just to show you I have connectivity.
Okay.
Did I tell you about my wife yet?
So, as you can see, my VMware session is working beautifully.
I actually need to wait a second.
It's a Win2K.
Oh, oh.
Hm, hm, hm.
It's still loading. It's still loading up the, as you can imagine, a virtual disk loading up an install of Win2K is a little big.
So I'm going to try this one more time and not look like an idiot, hopefully. Well, other than the GIA, the whatever. I can't think that quick. And there was much rejoicing.
Thank you. Thank you. Goodbye. Always leave on a high note. All right.
So what I'm going to do is I'm going to run this DumpSec program. Who's familiar with it? Oh, come on. Who's familiar with that? Raise your hand anyway. Okay.
So what DumpSec does, and I'm just going to run it against my own box because my NT 4.0 box doesn't seem to be working very well. I made this kind of big too.
So what I'm going to do is, now in real life this isn't how we would do it. We would do a net use against the target box. Once we have that net use and that null session established, then we come back here and tell it to select the computer. I'm just going to use my own. Why didn't I do 10.1.1.1? Okay.
Now, the only reason that that worked is because I'm authenticated on my own machine. If I wasn't authenticated, it would come up and say, who are you? Go away. If I had done a net use, then it would also have established a connection here.
So what I'm going to do is, I'm going to dump users as a column. Do I want to do that on my own machine in front of all of you people? Okay. If none of you figured out that my username was Thor, then you don't deserve to be here anyway. So you can see I've got my IWAM user account and all these other, just a couple of users on this box. All right, so this is what DumpSec does.
So what I'm going to do now is I've established that connection. We saw that I have connectivity with this box. Let me go over the registry settings. Oh, come on.
Okay. So this was a problem at one point. Okay? Let's kind of jump back to where we
were. No users were out there. I can enumerate all this information. So everybody gets pissed
off at Microsoft, right? So, and still are.
The dev crew decided to introduce this new key, the new value actually, inside the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa key.
You create a value called RestrictAnonymous, DWORD, and you set it to one.
So what that does is supposedly make some API checks whenever these API calls are being made.
It checks the context that the user is in, and if they're anonymous, it keeps them from doing that.
Meant to stop null session enumeration, and back in the days of C2 specification,
which was the highest level of security a business could attain, right, was the C2 audit.
It could pass a C2 audit.
It was required for that.
So this key being required for C2 made it seem pretty important.
I mean, it gave it a lot of...
Credential.
It gave it some validity.
But there's some problems here, and I'm going to show you that, hopefully.
So I'm going to first establish a null session to my NT2000 box.
Note that it has, this box has restrict anonymous set to one.
I can show you if you want, but, you know, let's start the trust model off right here.
Yeah, that's right.
It is Vegas.
You want to see it.
Well, I'm not going to show you.
Okay, good grief.
Do you really want to see that it's set to one?
Thank you.
Thank you.
See, we only got 15 minutes.
Yay.
So I'm going to do a net use, whack, whack.
Bada-bing, bada-bang, IPC, dollar sign.
It's wrapping, so no password.
The password comes first in this context.
I don't know why.
User, whack, whack, or bang, bang, whatever you want to call it.
The command completed successfully.
Ooh, wait.
The command completed successfully.
Okay.
Oh, and I'm sorry.
Hey, man, that thing is cool.
My kids love it.
Huh?
Oh, yeah, yeah.
If you don't, if you have a cat and don't have a laser pointer, you have no life.
I mean, little Jaeger, the laser pointer, the cat, woo.
Okay.
So you'll notice that it completed successfully, even though we've told it not to let us use null session.
Well, it's not really what we told it.
We told it to restrict what an anonymous user can do.
So I can still link up to that guy.
However, let's go to my desktop.
Go back to DumpSec.
Select.
Ah, hee-ba-ha-ba.
Select that computer.
Bang.
So it blows up, saying error in processing, NetServerGetInfo status 5.
It dies.
Now, I got sucked into this back in the day.
Back when restrict anonymous came in, you know, I don't trust anything, right?
Besides, we all have our development things that we test everything on first.
Then we test it.
Then we put it all into production.
So I set RA to one, ran DumpSec, or DumpACL in this case.
It died.
I was happy.
I said, great, that works.
All right.
So let's go over why there are some problems.
I got to talking to somebody on the SecurityFocus newsgroup.
We were going back and forth about some different things that you could do.
And the point made was that, down here, if you look, user2sid and sid2user.
Who's familiar with that program?
Real old.
I'm used to bars doing that, right?
It's 2 o'clock and they shut the lights off.
That program still works with restrict anonymous set to one.
And that got us talking about why.
So I started doing a bunch of research, started testing different API calls that one could make.
Under the context of a null user.
And came to find out that we had a bunch of them that we could do.
When you set RA to one, it goes out there and says, okay, NetServerGetInfo.
Remember, that's the first thing that DumpACL died on.
We set an ACL on that.
If you're the null user, it dies.
You can't run it.
You can't do it on NetUserEnum, which enumerates users.
You can't get the users in a group.
You can't get the shares.
You can't get the data.
You can't get the modals.
user2sid and sid2user work because they use these two API calls called LookupAccountName and LookupAccountSid.
It's kind of a cheesy little program, but it works.
You basically say look up the account name for a given SID and it tells you the name of that account.
Or tell it to look up the SID of a user name and it gives you its SID.
So if you can connect up to a box, you can say,
look up account SID guest.
Well, we know guest lives on that box, right?
We know it's called guest.
They can't rename it.
They can't delete it.
We know that the name Guests is valid; that's actually a group, a valid group on that box.
So if we do a look up account SID guest, bang, we get the fully qualified SID for that domain.
Well, we know that all they've done is taken the RID, which is the last portion of your SID, the last subauthority.
And all we have to do is put a 500 on that.
Take off the guest, put a 500, resubmit that entire SID, and it tells us the name of the administrator account.
Right?
Because 500 is always the administrator.
So we can always tell, who renames your administrator account?
Right.
It doesn't really matter.
Because all we have to do is say, well, look up account SID, bang, 500, I know what the name of your administrator is.
Just like that.
You can't stop us from doing that.
Okay?
And that's old.
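The SID arithmetic just described, the same domain prefix with a different RID on the end, is easy to check from the defender's side, because renaming an account never changes its RID. The following is an added example and is not code from the talk or from the user2sid/sid2user tools: it parses textual SIDs offline, swaps the RID the way the talk describes, and audits a list of (name, SID) pairs for the two cases a reviewer of a user dump should notice, the built-in Administrator (RID 500) living under another name and a decoy named Administrator that is not RID 500. Every SID and account name in it is a constructed sample value.

```python
"""SID/RID helpers and a name-versus-RID audit.

Added example for the talk's RID-500 discussion; not code from the talk or
from user2sid/sid2user. All SIDs and account names below are constructed.
"""
import re

# Well-known relative IDs from the Windows SDK (DOMAIN_USER_RID_* / DOMAIN_GROUP_RID_*).
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
}

# Textual SID: S-1-<identifier authority>-<subauthority>[-<subauthority>...]
_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def parse_sid(sid):
    """Return (identifier_authority, [subauthorities]) for a textual SID."""
    if not _SID_RE.match(sid):
        raise ValueError("not a well-formed SID: %r" % (sid,))
    parts = sid.split("-")
    return int(parts[2]), [int(p) for p in parts[3:]]


def split_rid(sid):
    """Return (domain_sid, rid): the RID is the last subauthority, the rest is the domain."""
    authority, subs = parse_sid(sid)
    if len(subs) < 2:
        raise ValueError("SID %r has no domain prefix to separate from the RID" % (sid,))
    domain = "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs[:-1]))
    return domain, subs[-1]


def with_rid(sid, rid):
    """Rebuild sid with its RID replaced: the 'take off the Guest, put a 500 on it' step."""
    domain, _ = split_rid(sid)
    return "%s-%d" % (domain, rid)


def describe_rid(rid):
    """Name a well-known RID; RIDs from 1000 up were handed out to created accounts."""
    return WELL_KNOWN_RIDS.get(rid, "created account" if rid >= 1000 else "other built-in")


def audit_accounts(accounts):
    """Flag name/RID disagreements in a list of (name, sid) pairs.

    Returns [(name, rid, finding), ...]. RID 500 under a different name is the
    real built-in Administrator; an 'Administrator' with any other RID is a decoy.
    """
    findings = []
    for name, sid in accounts:
        _, rid = split_rid(sid)
        if rid == 500 and name.lower() != "administrator":
            findings.append((name, rid, "built-in Administrator, renamed"))
        elif rid != 500 and name.lower() == "administrator":
            findings.append((name, rid, "decoy: not the built-in Administrator"))
    return findings


# Constructed sample data: one domain prefix, three accounts (not from any real system).
SAMPLE_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_ACCOUNTS = [
    ("Guest", SAMPLE_DOMAIN + "-501"),
    ("svc_backup", SAMPLE_DOMAIN + "-500"),      # the real Administrator, renamed
    ("Administrator", SAMPLE_DOMAIN + "-1004"),  # decoy created later
]

if __name__ == "__main__":
    domain, rid = split_rid(SAMPLE_ACCOUNTS[0][1])
    print("domain prefix:", domain, "Guest RID:", rid)
    print("same domain, RID 500:", with_rid(SAMPLE_ACCOUNTS[0][1], 500))
    for name, rid, finding in audit_accounts(SAMPLE_ACCOUNTS):
        print("%-14s RID %-5d %s (%s)" % (name, rid, finding, describe_rid(rid)))
```

Feed audit_accounts the (name, SID) pairs from any account listing you already hold as an administrator; the point of the check is that the RID, not the display name, tells you which account is the built-in one.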
However, in addition, in addition, there is this, there are some that don't have proper ACLs put on them.
One of them is NetServerTransportEnum. That enumerates the transports in use on a box.
Which can be kind of cool.
Back in NT4, whenever you had a RAS device, it had a really nice name of that, of the transport called RAS.
So you could, you could enumerate a subnet, as an anonymous user, find out all the transports, if they're running IP, IPX, NetBEUI, RAS devices, all of this stuff.
And then you know that people have RAS devices on their network.
Which is not real good.
Right?
Rogue RAS devices lurking in the dark.
NetUserGetInfo also doesn't have any.
And that's my favorite.
NetUserGetInfo has a couple of different levels that can be called.
Level zero gives you the user name.
Level one gives you the age of the account, the home directory.
Level two gives you even more stuff.
And level three, I call it pay dirt, gives you everything.
The password age, the RID, the privileges, the role privileges of that account.
User flags.
All of this extended information.
You have to parse out.
The flag comes back as a DWORD though, so you have to parse that out.
And it's a little arduous to do so.
But I went ahead and did it.
It was like four or five white Russians and I was done.
And it works on Windows 2000.
So let me show you that.
So we've got, we've got my null session established.
We saw how DumpACL failed.
Hopefully whoever wrote that's not in the.
I'm going to get you, you bastard.
Okay.
We've got six minutes.
I'll talk quickly.
So UserInfo. The way UserInfo works is you have to submit a name. To get the name you need the SID, the full SID, in order to be able to provide it with the, you need to provide it with the SID.
So I'm going to say UserInfo \\192.168.5.190, and let's give it administrator. Did I spell it right? I'm used to doing it with two hands. Bang.
So here's what. Here's what UserInfo is going to give us. Now what's the cheesy part about UserInfo? You've got to know the name of an account. That kind of stinks. I mean you're not going to guess B. Jones to see if it's a valid account.
But this is a way to see if it's really the administrator. See the user ID? We know that that's really the administrator, because his RID is 500. We know that somebody hasn't created this account called administrator. They renamed the real administrator. They have an account called administrator. And they're trying to screw with us. So if we try to log in as that, they know that we're trying to get in.
We see the password age. We don't have any of these system flags. But what the system flags are going to tell us are if this person is an administrator. Actually I'm sorry, this is going to be under the operator privs.
Are you kicking me out?
I've got six minutes right?
It's only a lot of ten minutes until what you had.
Okay right.
So here we've got the miscellaneous info and all this other crap.
And I even have this neat little graph.
You know this was the hardest part about writing the entire program.
Was getting these stupid little ones and zeros for the hours that they could log on.
And for you on this side.
Okay.
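Two pieces of the NetUserGetInfo output that the talk singles out are the user flags, which come back packed in a single DWORD, and the logon hours, the grid of ones and zeros that was the hardest part of the program to draw. The following is an added example and is not code from the talk or from the UserInfo/UserDump tools: it decodes a flags DWORD using the UF_* bit values from the Windows SDK header lmaccess.h, unpacks the 21-byte logon-hours bitmap (bit 0 of byte 0 is Sunday 00:00 GMT, one bit per hour of the week) into a per-day grid, and summarises a record the way someone reviewing their own user dump would, calling out flags such as a password that is not required or never expires. The two user records are constructed sample values.

```python
"""Decode the NetUserGetInfo user flags DWORD and the 21-byte logon-hours bitmap.

Added example for the talk's 'pay dirt' discussion of NetUserGetInfo; not code
from the talk or from the UserInfo/UserDump tools. Flag values are the UF_*
constants from lmaccess.h; the sample records are constructed.
"""

# UF_* bit values from lmaccess.h (subset).
USER_FLAGS = {
    0x0002: "UF_ACCOUNTDISABLE",
    0x0010: "UF_LOCKOUT",
    0x0020: "UF_PASSWD_NOTREQD",
    0x0040: "UF_PASSWD_CANT_CHANGE",
    0x0200: "UF_NORMAL_ACCOUNT",
    0x0800: "UF_INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "UF_WORKSTATION_TRUST_ACCOUNT",
    0x2000: "UF_SERVER_TRUST_ACCOUNT",
    0x10000: "UF_DONT_EXPIRE_PASSWD",
    0x40000: "UF_SMARTCARD_REQUIRED",
    0x80000: "UF_TRUSTED_FOR_DELEGATION",
    0x400000: "UF_DONT_REQUIRE_PREAUTH",
    0x800000: "UF_PASSWORD_EXPIRED",
}

# Flags a reviewer of a user dump would want called out.
RISKY_FLAGS = ("UF_PASSWD_NOTREQD", "UF_DONT_EXPIRE_PASSWD", "UF_DONT_REQUIRE_PREAUTH")

DAYS = ("Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat")


def decode_flags(flags):
    """Return the names of the UF_* bits set in a usriN_flags DWORD, lowest bit first."""
    if not 0 <= flags <= 0xFFFFFFFF:
        raise ValueError("flags must fit in a DWORD")
    return [name for bit, name in sorted(USER_FLAGS.items()) if flags & bit]


def logon_hours_bitmap(allowed):
    """Build the 21-byte bitmap from (day, hour) pairs; day 0 is Sunday, hours are GMT.

    Bit 0 of byte 0 is Sunday 00:00-00:59, bit 1 is Sunday 01:00-01:59, and so on
    through the 168 hours of the week, as the API documents for usri2_logon_hours.
    """
    bits = bytearray(21)
    for day, hour in allowed:
        if not (0 <= day < 7 and 0 <= hour < 24):
            raise ValueError("bad (day, hour): %r" % ((day, hour),))
        h = day * 24 + hour
        bits[h // 8] |= 1 << (h % 8)
    return bytes(bits)


def decode_logon_hours(bitmap):
    """Turn the 21-byte bitmap into {day: '0101...'}: 24 characters per day, one per hour."""
    if len(bitmap) != 21:
        raise ValueError("logon hours bitmap must be 21 bytes (168 hours)")
    grid = {}
    for d, day in enumerate(DAYS):
        row = []
        for hour in range(24):
            h = d * 24 + hour
            row.append("1" if (bitmap[h // 8] >> (h % 8)) & 1 else "0")
        grid[day] = "".join(row)
    return grid


def review_record(name, flags, bitmap):
    """Summarise one user record: decoded flags, the risky ones, and how many hours it may log on."""
    names = decode_flags(flags)
    hours = decode_logon_hours(bitmap)
    return {
        "name": name,
        "flags": names,
        "risky": [n for n in names if n in RISKY_FLAGS],
        "allowed_hours": sum(row.count("1") for row in hours.values()),
    }


# Constructed sample records: a service account with no password required and a
# non-expiring password, limited to Monday-Friday 08:00-17:59 GMT, and a normal user.
BUSINESS_HOURS = logon_hours_bitmap((d, h) for d in range(1, 6) for h in range(8, 18))
ALL_HOURS = b"\xff" * 21
SAMPLE_RECORDS = [
    ("svc_backup", 0x0200 | 0x0020 | 0x10000, BUSINESS_HOURS),
    ("bjones", 0x0200, ALL_HOURS),
]

if __name__ == "__main__":
    for name, flags, bitmap in SAMPLE_RECORDS:
        print(review_record(name, flags, bitmap))
        for day, row in decode_logon_hours(bitmap).items():
            print("  %s %s" % (day, row))
```

The hour grid comes out exactly as the talk draws it, one row per day of ones and zeros; the flag decoder is what turns the bare DWORD into the "password never expires" and "smart card required" lines a dump tool prints.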
So the problem here is that UserInfo has to be presented with a name. You have to know the name of the account.
So we got to thinking. Well, we know LookupAccountSid and LookupAccountName work. We know UserInfo works.
So what we're going to do is write another program called UserDump, and we're going to combine LookupAccountName, LookupAccountSid and get user info into one program. Kind of create a SID walker.
We'll provide it with an account that we know exists. In my example I'm going to do, I'm running Guest.
And what it's going to do is look up the account SID, and it's going to start at 500. This thing is going to increment its way up from there, and then dump the SID back out to it to get the name, and then dump that name in to get user info.
So what we can do, I'm going to give it 1000. There's some similar programs that after 20 dead entries die, and I don't think that that's right, because we can delete massive amounts of users and then add them again, and of course the RIDs increment.
So in a single command line, I'm going to execute this guy.
And so what we see going by on my Windows 2000 machine is every user, their privileges: if they're account operators, if they're server operators, if they're administrators or not, if their passwords never expire, if they have to have a smart card to log on, what their logon hours are, everything that we need to know, the last time they changed their password.
And I guess these guys don't exist. And it's going to go up to 1900.
So, we can dump all that information out to a text file, and we already have a beautiful map of all of the users on that domain. And it's all been done using a null user account, even when we've specifically said to restrict access to that information.
Ta-da!
Can I have 60 seconds?
Yeah.
No.
Now, there's one additional program I don't have here, and we don't have time to show it to you. It's called TSEnum. It's on the Hammer of God website.
If you're interested in enumerating machines, it's a new method that we've been, Erik Birkholz, Clinton Mudge, the guys at Foundstone, like to hide their terminal servers. That way you don't know they're there.
And that's a bad thing, because terminal servers can be really dangerous. If one of your users hides a terminal server on your network, it can open up some bad things.
So, what this program does, if you're interested in it, it's called TSEnum. You can go to the website and download it.
You specify a target. You say TSEnum, that guy. What that guy will do is ask its master browser, what machines can you see on this network? It will then tunnel that information back to me. You can use that as an anonymous user.
So, a buddy of mine tested on one of his resource domains, and in two seconds got 598 machines.
It tells you the type of machine: if it's a domain controller, if it's a SQL Server, if it's a terminal server. All of that information is registered with the master browser when the machine boots up.
Right. He boots up to the master browser, says, hey, I'm on the network, and I happen to be a SQL Server and a terminal server and a domain controller. Thank you very much.
So, then you can download all that information as well.
So, they're kicking me out of here. Thanks very much. Thanks for putting up with me.
